How to correctly sign an executable

Question

I have made a little tool. It is a console application that when running on Win7 brings the UAC security prompt. I tried to sign this EXE file in Visual Studio 2010 using the following steps:

1. Project properties
2. Signing
3. Create new key as shown below

The key file was successfully created, as you can see in the capture below.

Issues:

File is still being blocked by the UAC security prompt. When I checked the file whether signed or not using the signtool.exe, it tells me, no signature was found. Please correct me if I'm following the wrong steps.

Answer 1

Assembly signing != Authenticode signing.

To authenticode sign an assembly with signtool, you'll need a code signing certificate from a trusted issuing authority.

You can then issue the following post-build command to sign your executable:

"signtool.exe" sign /f "$(SolutionDir)myCertificate.pfx" /p certPassword /d "description" /du "http://myinfourl" /t "http://timeserver.from.cert.authority/" $(TargetPath)

Everything you need to know about Authenticode Code Signing

Answer 2

Basically you have 2 options, using a command that you manually execute or execute via a batch file

signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /as /p MyPassword "{path to exe}"

becomes a bit frustrating after a while Better add it on your project's option page in the Build Events.

In your post build you would enter

call "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /p MyPassword  $(TargetPath)

the Macro $(TargetPath) will be filled with the path to your compiled exe or dll.

Now each time you compile you will get a signed file.

Would look something like this: